Hi Rigo...
As the current Legal Counsel for the W3C and an active participant in this Tracking
Protection Working Group... I think the question(s) below are for you.
Online sites/services have been 'tracking' users for well over a decade now.
There is no doubt that some/all of these sites/services have ALREADY amassed
copious amounts of 'tracking' data that can yield behavioral information directly associated
with (identifiable) users.
What I am NOT seeing in any of the published TPWG drafts ( or on the public mailing list,
or the reports coming out of the Seattle F2F ) is any discussion about what happens
when a site/server that is reporting DNT Compliance is not 'purging' any tracking data that
it has ALREADY 'collected' for individual (identifiable) users,
Will they ( sites/servers claiming to be DNT compliant ) be REQUIRED to do that (purge existing data)
the moment they receive a (compliant) DNT=1 signal from a user that is 'identifiable' to them and for
whom they have ALREADY been collecting/storing 'tracking data'?
The question also obviously applies to 'all parties' in the 'data collection/retention/sharing'
chain. Will ALL parties who have ALREADY been 'collecting/retaining/sharing' tracking data for
this (identifiable) user be REQUIRED to 'purge' their existing data the moment this (identifiable)
user is sending a (compliant) DNT=1 signal?
For reference...
Below are the (current) 'choices' for establishing a 'definition' for both 'Tracking'
and 'Do Not Track' coming out of the Seattle F2F as well as the (current) choices
for what data 'collection/use/retention/sharing' might look like.
NOTE for the purposes of my question(s) above that the 'data collection' phase has
ALREADY taken place at some of these sites/servers. They ALREADY have 'the data'
and they are ALREADY able to 'associate that data with an identifiable user'.
>From Roy's 'definitions' post
Fri, 22 Jun 2012 01:24:14 -0700
http://lists.w3.org/Archives/Public/public-tracking/2012Jun/0639.html
[snip]
This is a collation of not-yet-consenus definitions used in the compliance document (c1) (c2),
combo draft (cm), Shane et al's proposal (s), Jonathan et al's proposal (j), Roy's proposals (r),
and various EC directives (eu).
tracking
(c1) Tracking is the collection or use of user data via either a unique identifier or a correlated set of data points
being used to approximate a unique identifier, in a context other than "first party" as defined in this document.
(c2) Tracking is defined as following or identifying a user, user agent, or device across multiple visits to a
site (time) or across multiple sites (space).
(r1) Tracking is defined as following or identifying a user, user agent, or device across multiple visits to a
site (time) or across multiple sites (space). Mechanisms for performing tracking include but are not limited to:
* assigning a unique identifier to the user, user agent, or device such that it will be conveyed back to the server on future visits;
* personalizing references or referral information such that they will convey the user, user agent, or device identity to other sites;
* correlating data provided in the request with identifying data collected from past requests or obtained from a third party; or,
* combining data provided in the request with de-identified data collected or obtained from past requests in order to re-identify
that data or otherwise associate it with the user, user agent, or device.
(r2) Tracking is the retaining or sharing of data about a user's Internet activity in a form that remains linkable to that user,
user agent, or device across multiple Web properties that do not share a common first party (data controller).
do not track
(c2) A preference of "Do Not Track" means that the user does not want tracking to be engaged for this request, including
any mechanism for performing tracking, any use of data retained from prior tracking, and any retention or sharing of data
from this request for the purpose of future tracking, beyond what is necessary to enable:
* the limited permitted uses defined in this specification;
* the first-party (and third-parties acting as the first-party) to provide the service intentionally requested by the user; and
* other services for which the user has provided prior, specific, and informed consent.
(r1) A preference of "Do Not Track" means that the user does not want tracking to be engaged for this request, including any
mechanism for performing tracking, any use of data retained from prior tracking, and any retention or sharing of data from this
request for the purpose of future tracking, beyond what is necessary to enable:
1) the limited exemptions defined in section XX;
2) the first-party (and third-parties acting as the first-party) to provide the service intentionally requested by the user; and
3) other services for which the user has provided prior, specific, and informed consent.
(r2) A "Do Not Track" preference requires that all unnecessary tracking by third parties be disabled, meaning any tracking
other than that controlled by the first party or constrained to be within the permitted uses of ... (see Section XX), and that no
information obtained from past tracking by third parties be used to satisfy the current request.
data collection
(c1) A party "collects" data if the data comes within its control.
(cm) A party collects data if the data comes within its control and the control of that data is not transient.
(r1) "Data collection" (for the purpose of DNT) is the process of assembling data from or about one or more network interactions
and retaining/sharing that data beyond the scope of responding to the current request or in a form that remains linkable to a
specific user, user agent, or device.
(r2) [no definition, just like the regulators]
retention
(c1) A party "retains" data if data remains within a party's control.
(r) A party "retains" data if data remains within a party's control beyond the scope of the current interaction.
use
(c1) A party "uses" data if the party processes the data for any purpose other than storage.
(cm) A party uses data if the party processes the data for any purpose, including for storage.
(r) A party uses data if the party processes the data for any purpose other than merely forwarding it to another party.
sharing
(c1) A party "shares" data if the party enables another party to collect the data.
(r) A party shares data if it allows any other party to receive or access that data.
[/snip]